Uploaded image for project: 'camunda BPM'
  1. camunda BPM
  2. CAM-8752

Inconsistency in the Cockpit permission error messages

    XMLWordPrintable

Details

    Description

      1. Scenario:
      • Me, as an user, has only permissions to read a process instance.
      • There exist an variable in a running process instance
      • Me tries to update the variable via cockpit.
      • Cockpit shows me the message Variable :The variable 'test' could not be changed successfully.
      • But in the console I see: 
        16-Feb-2018 09:55:56.054 WARNING [http-nio-8080-exec-12] org.camunda.bpm.engine.rest.exception.ProcessEngineExceptionHandler.toResponse org.camunda.bpm.engine.AuthorizationException: The user with id 'john' does not have one of the following permissions: 'UPDATE' permission on resource 'b365d4a0-12f6-11e8-ba9c-0242debfd039' of type 'ProcessInstance' or 'UPDATE_INSTANCE' permission on resource 'Process_1' of type 'ProcessDefinition'
        at org.camunda.bpm.engine.impl.persistence.entity.AuthorizationManager.checkAuthorization(AuthorizationManager.java:232)
        at org.camunda.bpm.engine.impl.persistence.entity.AuthorizationManager.checkAuthorization(AuthorizationManager.java:189)
        at org.camunda.bpm.engine.impl.cfg.auth.AuthorizationCommandChecker.checkUpdateProcessInstance(AuthorizationCommandChecker.java:204)
        at org.camunda.bpm.engine.impl.cmd.SetExecutionVariablesCmd.checkSetExecutionVariables(SetExecutionVariablesCmd.java:64)
        at org.camunda.bpm.engine.impl.cmd.SetExecutionVariablesCmd.getEntity(SetExecutionVariablesCmd.java:46)
        at org.camunda.bpm.engine.impl.cmd.SetExecutionVariablesCmd.getEntity(SetExecutionVariablesCmd.java:29)
        at org.camunda.bpm.engine.impl.cmd.AbstractVariableCmd.execute(AbstractVariableCmd.java:49)
        at org.camunda.bpm.engine.impl.cmd.AbstractPatchVariablesCmd.execute(AbstractPatchVariablesCmd.java:43)
        at org.camunda.bpm.engine.impl.cmd.AbstractPatchVariablesCmd.execute(AbstractPatchVariablesCmd.java:26)
        at org.camunda.bpm.engine.impl.interceptor.CommandExecutorImpl.execute(CommandExecutorImpl.java:24)
        at org.camunda.bpm.engine.impl.interceptor.CommandContextInterceptor.execute(CommandContextInterceptor.java:104)
        at org.camunda.bpm.engine.impl.interceptor.ProcessApplicationContextInterceptor.execute(ProcessApplicationContextInterceptor.java:66)
        at org.camunda.bpm.engine.impl.interceptor.LogInterceptor.execute(LogInterceptor.java:30)
        at org.camunda.bpm.engine.impl.RuntimeServiceImpl.updateVariables(RuntimeServiceImpl.java:410)
        at org.camunda.bpm.engine.impl.RuntimeServiceImpl.updateVariablesLocal(RuntimeServiceImpl.java:405)
        at org.camunda.bpm.engine.rest.sub.runtime.impl.LocalExecutionVariablesResource.updateVariableEntities(LocalExecutionVariablesResource.java:40)
        at org.camunda.bpm.engine.rest.sub.impl.AbstractVariablesResource.modifyVariables(AbstractVariablesResource.java:207)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167)
        at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:257)
        at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:222)
        at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159)
        at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107)
        at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154)
        at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107)
        at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154)
        at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92)
        at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
        at org.camunda.bpm.engine.rest.filter.CacheControlFilter.doFilter(CacheControlFilter.java:41)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
        at org.camunda.bpm.engine.rest.filter.EmptyBodyFilter.doFilter(EmptyBodyFilter.java:95)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
        at org.camunda.bpm.webapp.impl.security.filter.SecurityFilter.doFilterSecure(SecurityFilter.java:67)
        at org.camunda.bpm.webapp.impl.security.filter.SecurityFilter.doFilter(SecurityFilter.java:51)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
        at org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter$1.execute(AuthenticationFilter.java:58)
        at org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter$1.execute(AuthenticationFilter.java:56)
        at org.camunda.bpm.webapp.impl.security.SecurityActions.runWithAuthentications(SecurityActions.java:40)
        at org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter.doFilter(AuthenticationFilter.java:56)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)

      If we try to modify the running process instance we see the exception message direct in cockpit.
      Could not apply modification :The user with id 'john' does not have one of the following permissions: 'UPDATE' permission on resource 'b365d4a0-12f6-11e8-ba9c-0242debfd039' of type 'ProcessInstance' or 'UPDATE_INSTANCE' permission on resource 'Process_1' of type 'ProcessDefinition'

      This seems for the user a bit inconsistent.

      1. How to reproduce
      • Run tomcat 7.8.1
      • create the exampleWarProject and deploy it
      • Login as demo
      • Adjust Permissions for sales group:
        • Sales group needs to have access to cockpit
        • On Process definition level they need READ, READ_INSTANCE, READ_HISTORY permission
        • On process instance level they need READ permission
      • start process (with test variable) with Demo user
      • login with john
      • open cockpit and try to update variable
      • message is shown in cockpit and error is printed in the log (server/apache-tomcat-8.0.47/logs/catalina.out)
      • if you try to modify the process instance you get the exception message in cockpit

      mgm-controller-panel

        This is the controller panel for Smart Panels app

        Attachments

          Activity

            People

              michael.schoettes Michael Schoettes
              christopher.zell Christopher Kujawa
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Salesforce